From c4ea0c157fcf9099c5652a2ed5a79b8f62feb5da Mon Sep 17 00:00:00 2001
From: OTABI Tomoya
Date: Sun, 28 Dec 2025 12:05:26 +0900
Subject: [PATCH] fix(darwin): skip stripping to preserve code signatures instead of ad-hoc re-signing (#188)
---
 package.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/package.nix b/package.nix
index 9beaaba..efc1900 100644
--- a/package.nix
+++ b/package.nix
@@ -71,12 +71,6 @@
 mkdir -p "$out/Applications/${applicationName}.app/Contents/Resources/distribution"
 ln -s ${policiesJson} "$out/Applications/${applicationName}.app/Contents/Resources/distribution/policies.json"

- # Re-sign with correct identifier to maintain AdGuard compatibility
- # AdGuard uses code signing identifier (not CFBundleIdentifier) to recognize apps
- /usr/bin/codesign --force --deep --sign - \
- --identifier "app.zen-browser.zen" \
- "$out/Applications/${applicationName}.app"
-
 # Use symlink path to avoid installs.ini accumulation on Nix rebuilds
 # The symlink is created by home-manager and remains stable across rebuilds
 cat > "$out/bin/${binaryName}" << EOF
@@ -215,6 +209,12 @@ in
 # Firefox uses "relrhack" to manually process relocations from a fixed offset
 patchelfFlags = ["--no-clobber-old-sections"];

+ # Stripping invalidates macOS code signatures. We avoid strip-and-re-sign
+ # because /usr/bin/codesign is inaccessible in the Nix sandbox. This also
+ # preserves the original code signing identifier that tools like AdGuard
+ # use (not CFBundleIdentifier) to recognize apps.
+ dontStrip = stdenv.hostPlatform.isDarwin;
+
 preFixup = ''
 gappsWrapperArgs+=(
 --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ffmpeg_7]}"
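Review bot: The new comment above `dontStrip` says the original signature is preserved, but the install script shown as context in the first hunk still links `policies.json` into `Contents/Resources/distribution/` inside the bundle. A file added there is normally not covered by the upstream resource seal, so bundle-level verification such as `codesign --verify --deep --strict` may still fail even though the per-binary signatures and their identifier survive. I would scope the comment to what is actually kept, e.g. `# Only the per-binary signatures are preserved; the added policies.json means the bundle seal is not expected to verify.` This is inferred from the visible lines and should be confirmed on a Darwin build outside the sandbox. The attribute set around `dontStrip` starts and ends outside the hunk.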